2.9 PKI

The PKI method enables you to authenticate with any PKI device, such as a contact card or a USB token, that holds your digital certificate. The PKI reader validates the digital certificate and the identity of the user. When you authenticate on a device, the certificate on the device is compared with the enrolled certificate. If the certificates are identical, you are authenticated successfully.

NOTE: You must install the Advanced Authentication Device Service before enrolling the PKI method.

2.9.1 Enrolling the PKI Authenticator

  1. Click the PKI icon in Add Authenticator.

  2. (Optional) Specify a comment in the Comment field.

  3. (Optional) Select the preferred category from the Category list.

    A message Waiting for the card is displayed.

  4. Click Save.

  5. Insert the card in the reader or connect the token to the machine.

    A message Use an existing certificate or generate a key pair is displayed.

  6. Select a key from Key.

    If the token or card reader is connected, the certificate type and the expiry date of the certificate are populated in Key automatically.

  7. Specify the PIN code of the device.

  8. Click Save.

    A message Authenticator "PKI" has been added is displayed.

2.9.2 Testing the PKI Authenticator

  1. Click the PKI icon in Enrolled methods.

  2. Click Test.

    A message Waiting for card... is displayed.

  3. Insert your card or connect your token to the machine.

  4. Specify the PIN of the device in PIN.

    If the test is successful, a message Authenticator "PKI" passed the test is displayed. If the card is invalid, a message Wrong card is displayed. If the specified PIN is invalid, a message Incorrect PIN is displayed.

The following table describes the possible error messages, along with their workarounds, for PKI authentication.

Table 2-5 PKI authenticator - error messages (each error is followed by its possible cause and workaround)

  Card reader connected
    A card is not inserted in the reader, or the token is not connected to the machine. Insert the card in the reader or connect the token to the machine.

  Enroll failed: Cannot check revocation status for …
    The certificate on your device does not contain the location where its revocation status can be checked, or the location is present but the Certificate Authority is not reachable to verify the revocation status.

  PKI service is not available
    The Advanced Authentication Device Service is not installed on the system. Install the Device Service and try authenticating again.

  Key not found. Wrong Card?
    You enrolled the PKI authenticator in an RDP session. Enroll the authenticator again in a normal session.

  PIN is expired
    The PIN assigned to your token has expired. Contact your administrator for a new PIN.

  PIN is locked
    After a certain number of attempts with an incorrect PIN, the PIN is locked. Contact your administrator to reset the PIN.

  Token is not present
    The token is not connected to the system. Connect the token and try authenticating again.

  Token is not recognized
    The Device Service is unable to find the DLL required to recognize the token.
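The "Cannot check revocation status" error above has two distinct causes, and the first (no revocation location in the certificate at all) can be confirmed offline before involving the CA. The following script is an added example, not part of this documentation or of the Advanced Authentication product: it walks a DER-encoded certificate (or only its Extensions block) with the Python standard library and reports whether the certificate advertises a CRL Distribution Points extension (OID 2.5.29.31) or an OCSP responder in Authority Information Access (OIDs 1.3.6.1.5.5.7.1.1 and 1.3.6.1.5.5.7.48.1). The sample Extensions structures and their URLs are constructed here for the demonstration; the descent into OCTET STRINGs that wrap exactly one SEQUENCE is a heuristic of this script, chosen because that is how X.509 `extnValue` is encoded.

```python
"""Added diagnostic for the "Cannot check revocation status" enrollment error.
Reports whether a DER certificate carries any revocation-location information
(CRL Distribution Points or an OCSP access method). Standard library only."""
import sys

CRL_DISTRIBUTION_POINTS = "2.5.29.31"          # RFC 5280 id-ce-cRLDistributionPoints
AUTHORITY_INFO_ACCESS = "1.3.6.1.5.5.7.1.1"    # RFC 5280 id-pe-authorityInfoAccess
AD_OCSP = "1.3.6.1.5.5.7.48.1"                 # RFC 5280 id-ad-ocsp


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value; return (tag byte, value start, value end)."""
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:            # high-tag-number form: skip continuation bytes
        while buf[pos] & 0x80:
            pos += 1
        pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                 # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def find_oids(buf, start=0, end=None):
    """Yield every OID in a DER structure, descending into constructed nodes and
    into OCTET STRINGs that wrap exactly one SEQUENCE (how extnValue is encoded)."""
    end = len(buf) if end is None else end
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        if tag == 0x06:
            yield _decode_oid(buf[vstart:vend])
        elif tag & 0x20:              # constructed: SEQUENCE, SET, [n] EXPLICIT, ...
            yield from find_oids(buf, vstart, vend)
        elif tag == 0x04 and vend - vstart >= 2 and buf[vstart] == 0x30:
            if _read_tlv(buf, vstart)[2] == vend:   # heuristic: DER-wrapped OCTET STRING
                yield from find_oids(buf, vstart, vend)
        pos = vend


def revocation_sources(der):
    """Which revocation-location mechanisms the certificate advertises."""
    oids = set(find_oids(der))
    return {
        "crl_distribution_points": CRL_DISTRIBUTION_POINTS in oids,
        "ocsp_responder": AUTHORITY_INFO_ACCESS in oids and AD_OCSP in oids,
    }


def diagnose(der):
    """Verdict that maps onto the Table 2-5 'Cannot check revocation status' entry."""
    src = revocation_sources(der)
    found = [name for name, present in src.items() if present]
    if not found:
        return ("No revocation location in the certificate: enrollment will fail the "
                "revocation check; reissue it with a CRL distribution point or OCSP URL.")
    return ("Revocation location present (" + ", ".join(found) + "); if the error "
            "persists, the Device Service cannot reach the CA's CRL/OCSP endpoint.")


# --- constructed sample data (hypothetical URLs, not from any real certificate) ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        arc >>= 7
        while arc:
            enc.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(enc))
    return _tlv(0x06, body)


def _extension(oid, value_der):       # Extension ::= SEQUENCE { extnID, extnValue }
    return _tlv(0x30, _oid(oid) + _tlv(0x04, value_der))


def build_sample_extensions(with_crldp, with_ocsp):
    """Constructed X.509 Extensions SEQUENCE used to exercise the checker."""
    exts = b""
    if with_crldp:
        uri = _tlv(0x86, b"http://crl.example.test/ca.crl")       # [6] URI
        dist_point = _tlv(0x30, _tlv(0xA0, _tlv(0xA0, uri)))       # DP > [0] > [0]
        exts += _extension(CRL_DISTRIBUTION_POINTS, _tlv(0x30, dist_point))
    if with_ocsp:
        access = _tlv(0x30, _oid(AD_OCSP) + _tlv(0x86, b"http://ocsp.example.test"))
        exts += _extension(AUTHORITY_INFO_ACCESS, _tlv(0x30, access))
    exts += _extension("2.5.29.19", _tlv(0x30, b""))              # basicConstraints
    return _tlv(0x30, exts)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 \
        else build_sample_extensions(False, False)
    print(diagnose(data))
```

Run it with the path to a DER certificate exported from the card (the walker also descends through the `[3] EXPLICIT` wrapper of a full certificate), or with no argument to see the verdict for a constructed certificate that carries neither source. A "present" verdict narrows the problem to the second cause in the table, network reachability of the CA's CRL or OCSP endpoint from the workstation.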

NOTE: The following unexpected error codes can be returned by the PKCS#11 module:

  • CKR_DEVICE_ERROR: The token or the USB slot is broken. Try a different USB slot.

  • CKR_DEVICE_MEMORY: The token has no free memory, or there is some other problem with its memory.

  • CKR_MECHANISM_INVALID: An invalid mechanism was specified for the cryptographic operation.

  • CKR_PIN_EXPIRED: The PIN has expired. Ensure that the card has been initialized and that the default PIN is not in use.

  • CKR_PIN_LOCKED: The user PIN is locked.

  • CKR_TOKEN_NOT_RECOGNIZED: The token has not been recognized.

  • OPERATION FAILED: Contact your system administrator to analyze the debug logs.